Re: RHEL-AS-4.4 and auditd-1.0.14
On Thursday 08 February 2007 23:12, Simon Jones wrote:
I've had a quick look over the archives and couldn't find
anything,
so if this has already been fixed, please be kind...
No one has reported any problem of this kind.
I went from using the standard CAPP.rules example file to the
following audit.rules file:
This reduces what the kernel is doing. Does this also reduce the number of
events hitting your audit logs?
-D
-w /etc -p w -k ETC
This only records writes to the /etc directory and not the files in the /etc
directory.
-w /etc/sysconfig -p w -k SYSCONFIG
-w /caer/e/cnf -p w -k DMS_CNF
-w /caer/g/cnf -p w -k GAS_CNF
-w /bin/su -p x -k SBIN
A glance at cat /proc/slabinfo shows that there may be a memory leak:
After two minutes:
size-32 13447 13447 32 119 1 : tunables 120
60 8 : slabdata 113 113 0
After several hours:
size-32 18598891 18599105 32 119 1 : tunables
120 60 8 : slabdata 156295 156295 0
I wonder if you still see the leak if you load the rules but do not start the
audit daemon? We need to see if its a kernel memory leak or user space. I've
run valgrind against auditd and do not know of any leaks.
Whereas on a server not running the auditd daemon a cat /proc/
slabinfo gives:
After two minutes:
size-32 3556 3808 32 119 1 : tunables 120
60 8 : slabdata 32 32 0
After several hours:
size-32 3601 3808 32 119 1 : tunables 120
60 8 : slabdata 32 32 0
But do you still have the CAPP rules loaded?
I found this https://bugzilla.redhat.com/bugzilla/show_bug.cgi?
id=193542#c15 bug that seems to have a similar problem...
similar but different.
If so has it been fixed in 1.0.15?
No one's reported such an issue...so no one's worked on it. The first step is
determining if the problem is kernel or user space. Please load the CAPP
rules without starting the audit daemon and see what that shows.
Thanks,
-Steve